While developing a custom image for a new HP T620 thin client with Windows Embedded Standard 7, I came across the obvious security question: Do WES7 Thin Clients need Antivirus Software to be HIPAA Compliant? Not being sure whether it is an industry standard to include antivirus software on thin clients, I posted the question in a number of IT forums. The responses from our online community of experts were conflicting, with good reasoning on both sides.
Why would you not include antivirus software on a thin client? For a number of reasons actually. Adding antivirus clients to all thin clients is more costly. It can also be viewed as overkill since the client is just a sort of viewer or dumb terminal that connects the user to his/her published desktop or applications. Assuming that the connections are encrypted and there is no data stored locally, why go to greater, more costly lengths in protecting the thin client? As a matter of fact, a selling point for several thin client vendors is that thin clients help eliminate cost because they do not require antivirus software installed locally.
Since the server hosting the services is already protected by antivirus software, having it on both machines might appear to be overly cautious. Furthermore, the thin client’s embedded OS is a stripped-down version with fewer features and services running, so the risk of infection is lower. Locking down the client even further by restricting local policies, accounts and applications also minimizes risk.
So where do I stand on whether Thin Clients need Antivirus Software? I have to agree that antivirus software on thin clients is best practice in my opinion. As other IT professionals stated, the fact that the machine is running services and is connected to the LAN puts it at risk of infection, even though the risk is small. If malware is already present on the LAN or is brought in through the use of USB devices, then an unprotected thin client is at greater risk of infection than one with antivirus software installed.
Do WES7 Thin Clients need Antivirus Software to be HIPAA Compliant? The short answer is no. I don’t consider that thin clients need antivirus software to be HIPAA compliant because it is not specifically required that all machines connected to the LAN have antivirus software installed.
The following is quoted from an online source:
Standard 164.308(a)(5)(ii)(B): PROTECTION FROM MALICIOUS SOFTWARE: (The Covered Entity must implement) “Procedures for guarding against, detecting, and reporting malicious software.” – See more at: http://www.physicianspractice.com/blog/hipaa-compliant-antivirus-protected-computers-can-still-get-i…
The rule doesn’t make it very clear, and it is at the organization’s discretion just how to address this. For example, one could “address” this by implementing firewalls and/or security appliances with built-in antivirus, such as the Cisco Meraki MX80 (which we are using), that protect the LAN. Additionally, the thin client itself does not store ePHI locally. Thus, one might argue that the antivirus software on the servers hosting the published desktops addresses this section of HIPAA.
On the other hand, I can tell you that on one occasion I had to run on-demand virus removal tools on a thin client because it was infected with malware. I was alerted to it by the Meraki appliance. My guess is that a PC user downloaded the malware and it spread to the thin client that was sitting unprotected on the same LAN.
Thus, while having antivirus software on thin clients is not necessary to be HIPAA compliant, I consider it a best practice because, depending on the type of infection, it could spread to other machines on the LAN, perhaps even to shared files and folders hosted on servers.